EMC® Celerra® Network Server Release 5.6.47 Using FTP on Celerra P/N 300-004-169 REV A05 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.EMC.com


EMC® Celerra® Network Server
Release 5.6.47

Using FTP on Celerra
P/N 300-004-169

REV A05

EMC Corporation
Corporate Headquarters:
Hopkinton, MA 01748-9103
1-508-435-1000

www.EMC.com


Copyright © 1998 - 2009 EMC Corporation. All rights reserved.

Published December 2009

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date regulatory document for your product line, go to the Technical Documentation and Advisories section on EMC Powerlink.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

All other trademarks used herein are the property of their respective owners.

Corporate Headquarters: Hopkinton, MA 01748-9103


Contents

Preface

Chapter 1: Introduction
    System requirements
    Restrictions
    Cautions
    User interface choices
    Related information

Chapter 2: Concepts
    FTP
    FTP for user file access
    FTP daemon
    User accounts
    Anonymous FTP
    Home directories and the default working directory
    File access permissions
    Internationalization
    Data Mover failover
    FTP Secure connection
    Authentication methods

Chapter 3: Configuring
    Prerequisites
        Disable FTPS on a Data Mover
    Configure anonymous FTP
    Restrict users to their home directory tree
    Deny FTPS access to specific users
    Create a logon-banner
    Create a welcome screen
    Configure the inactivity time-out period
    Configure the maximum time-out period
    Configure a data port
    Change the default umask
    Configure an SSL control connection
    Configure an SSL data connection
    Configure an SSL persona
    Configure an SSL protocol connection
    Postrequisites
        Enable FTPS on a Data Mover

Chapter 4: Managing
    Prerequisites
        Disable FTPS on a Data Mover
    Determine if FTPS is running on a Data Mover
    Change the default working directory
    Specify an SSL control port
    Specify an SSL data port
    Change the default SSL cipher suite
    Postrequisites
        Enable FTPS on a Data Mover

Chapter 5: Troubleshooting
    EMC E-Lab Interoperability Navigator
    Known problems and limitations
    Network problems
    EMC Training and Professional Services

Terminology

Index


Preface

As part of an effort to improve and enhance the performance and capabilities of its product lines, EMC periodically releases revisions of its hardware and software. Therefore, some functions described in this document may not be supported by all versions of the software or hardware currently in use. For the most up-to-date information on product features, refer to your product release notes.

If a product does not function properly or does not function as described in this document, please contact your EMC representative.


Special notice conventions

EMC uses the following conventions for special notices:

A caution contains information essential to avoid data loss or damage to the system or equipment.

Important: An important note contains information essential to operation of the software.

Note: A note presents information that is important, but not hazard-related.

Hint: A note that provides suggested advice to users, often involving follow-on activity for a particular action.

Where to get help

EMC support, product, and licensing information can be obtained as follows:

Product information — For documentation, release notes, software updates, or for information about EMC products, licensing, and service, go to the EMC Powerlink website (registration required) at http://Powerlink.EMC.com.

Troubleshooting — Go to Powerlink, search for Celerra Tools, and select Celerra Troubleshooting from the navigation panel on the left.

Technical support — For technical support, go to EMC Customer Service on Powerlink. After logging in to the Powerlink website, go to Support ➤ Request Support. To open a service request through Powerlink, you must have a valid support agreement. Contact your EMC Customer Support Representative for details about obtaining a valid support agreement or to answer any questions about your account.

Note: Do not request a specific support representative unless one has already been assigned to your particular system problem.

Your comments

Your suggestions will help us continue to improve the accuracy, organization, and overall quality of the user publications.

Please send your opinion of this document to:

[email protected]


Chapter 1: Introduction

File Transfer Protocol (FTP) is a client/server protocol that operates over TCP/IP and allows file uploading and downloading across heterogeneous systems. FTP includes functions to log in to the remote system, list directories, and copy files.

This document is part of the EMC Celerra Network Server documentation set and is intended for use by the system administrators responsible for configuring and maintaining file storage and network retrieval infrastructure.

Topics included are:
◆ System requirements on page 8
◆ Restrictions on page 8
◆ Cautions on page 8
◆ User interface choices on page 9
◆ Related information on page 9


System requirements

Table 1 on page 8 describes the EMC® Celerra® Network Server software, hardware, network, and storage configurations.

Table 1. System requirements

Software: Celerra Network Server version 5.6.47 is required to use Common Internet File System (CIFS) authentication for users logging in with domain\username or username@domain.

Hardware: No specific hardware requirements.

Network: To enable FTP access to clients that are not on the same local subnet as a Data Mover, a default route and gateway must be specified on the Data Mover.

Storage: No specific storage requirements.

Restrictions

CAVA, the virus checker client, on a Data Mover does not check files transferred by using FTP. Using Celerra AntiVirus Agent provides more information about virus checking on your Celerra system. Only files accessed by using CIFS are checked for viruses. Files accessed by using FTP or network file system (NFS) are not checked.

The CIFS service must be started on a Data Mover to allow CIFS authentication for Windows FTP users. If a Windows user attempts to log in by using a Windows domain name and username, and if the CIFS service is not active on the Data Mover, the login fails.

FTP does not support CIFS notification.

Cautions

If any of this information is unclear, contact your EMC Customer Support Representative for assistance.

FTP authentication transmits the username and password across the network in an unencrypted form. FTP Secure (FTPS) uses Secure Sockets Layer (SSL) security to transmit the username and password across the network in an encrypted form.


User interface choices

This document describes how to configure FTP by using the command line interface (CLI). You cannot use other Celerra management applications to configure FTP.

Related information

Specific information related to the features and functionality described in this document is included in:

◆ Configuring and Managing Celerra Networking

◆ Celerra Network Server Command Reference Manual

◆ Celerra Network Server Error Messages Guide

◆ Celerra Network Server Parameters Guide

◆ Configuring and Managing CIFS on Celerra

◆ Managing Celerra Volumes and File Systems Manually

◆ Managing Celerra Volumes and File Systems with Automatic Volume Management

◆ Online Celerra man pages

◆ Using Celerra AntiVirus Agent

◆ Using International Character Sets with Celerra

EMC Celerra Network Server Documentation CD

The EMC Celerra Network Server Documentation CD, supplied with Celerra and also available on the EMC Powerlink® website, provides the complete set of EMC Celerra customer publications. After logging in to Powerlink, go to Support ➤ Technical Documentation and Advisories ➤ Hardware/Platforms Documentation ➤ Celerra Network Server. On this page, click Add to Favorites. The Favorites section on your Powerlink home page provides a link that takes you directly to this page.

To request an EMC Celerra Network Server Documentation CD, send an email request to:

[email protected]

Celerra wizards

Celerra wizards can be used to perform Celerra Manager tasks. Using Wizards to Configure Celerra provides you with an overview of the steps required to configure a Celerra Network Server by using the Set Up Celerra wizard in Celerra Manager.


Chapter 2: Concepts

The Celerra Network Server supports FTPS, which is a client/server protocol that operates over TCP/IP and allows file uploading and downloading across heterogeneous systems. FTPS includes functions to log in to the remote system, list directories, and copy files. You can perform FTPS operations by typing commands at a command prompt or by using an FTP utility that runs under a graphical interface like Windows.

UNIX and Windows users can use FTP to access file systems on a Celerra Network Server. Authentication is performed by using the local hosts file or NIS for UNIX users, and by using CIFS authentication for Windows users.

Topics included are:
◆ FTP on page 12
◆ FTP for user file access on page 12
◆ FTP daemon on page 12
◆ User accounts on page 12
◆ Anonymous FTP on page 12
◆ Home directories and the default working directory on page 13
◆ File access permissions on page 15
◆ Internationalization on page 16
◆ Data Mover failover on page 17
◆ FTP Secure connection on page 17
◆ Authentication methods on page 17


FTP

FTP is a client/server protocol that enables transfer of files across heterogeneous systems. The FTP daemon services the requests from the clients.

FTP for user file access

Before you use FTP, you must enable FTP access to a file system. Any file system mounted on a Data Mover is available for FTP access as long as the FTP daemon, ftpd, is running on that Data Mover. The file system does not have to be exported or shared to enable access. In a default Data Mover configuration, ftpd is automatically started. Managing Celerra Volumes and File Systems with Automatic Volume Management and Managing Celerra Volumes and File Systems Manually provide information about creating a file system and mounting it on a Data Mover. After logging in, the user is placed in a working directory. Home directories and the default working directory on page 13 lists the various considerations for the working directory. By default, if an FTP session is inactive for 15 minutes (900 seconds), the Data Mover closes it. To disable FTP access to a particular file system, unmount the file system.

Note: The Celerra FTP server is case-sensitive. Therefore, you must match the case of the name when changing directories or accessing files.

FTP daemon

The FTP daemon, ftpd, runs on the Data Mover and services FTP requests from clients. The FTP daemon is started automatically when the Data Mover starts for the first time. Later, the status of the FTP daemon depends on the last server_ftp command parameters. The Celerra Network Server Command Reference Manual lists options to manage the FTP server configuration. The FTP daemon is configured by the server_ftp command. Any configuration change for FTP is reflected when the FTP daemon is restarted. Restarting the Data Mover is not required.

User accounts

At the FTP login prompt, a user can select either a UNIX username or a Windows domain and username (in the format domain\username or username@domain). If the user logs in without a domain name, UNIX authentication is used.

Anonymous FTP

A system that supports anonymous FTP allows access to files by the users without a user account on the system. The anonymous FTP facility allows a user to log in with the username anonymous or ftp. The system prompts for a password, to which the user is expected to respond with some identification, usually a username or an email address.

To allow anonymous FTP access to a Data Mover, the administrator must configure a user with a username of ftp in /.etc/passwd or in the NIS. The attributes that a user named ftp must have are:

◆ Any UID and GID, except -2 or those of root (0 and 1)
◆ A home directory configured and available on the Data Mover
◆ The password removed or disabled

On a Celerra system, an anonymous FTP user’s working directory is the home directory of the user named ftp. If the user named ftp does not have a home directory and has access to the root file system, then the root file system (/) is the working directory for anonymous FTP. If the user named ftp does not have a home directory and does not have access to the root file system, then anonymous FTP login fails. An anonymous user can change only to directories beneath the working directory.

Note: An access log is commonly used by system administrators to monitor anonymous FTP use on the system. There is no FTP access log on a Data Mover.
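
The three attributes required of the user named ftp can be checked against a copy of the passwd file before anonymous FTP is enabled. The following is an added example, not EMC code: it assumes /.etc/passwd uses the standard colon-separated passwd layout, that an empty password field means "removed" and a leading "*" or "!" means "disabled", and that the list of mounted file system paths is supplied by the administrator; all function names and sample entries are hypothetical.

```python
import posixpath
from dataclasses import dataclass

# Conservative reading of the rule above: neither UID nor GID may be -2, 0 or 1.
FORBIDDEN_IDS = {-2, 0, 1}


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    home: str


def parse_passwd(text):
    """Parse passwd-style text; skip blank, comment and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            continue
        try:
            uid, gid = int(fields[2]), int(fields[3])
        except ValueError:
            continue
        entries.append(PasswdEntry(fields[0], fields[1], uid, gid, fields[5]))
    return entries


def password_removed_or_disabled(field):
    # Assumption: empty field = removed; leading "*" or "!" = disabled.
    return field == "" or field[0] in "*!"


def home_is_mounted(home, mounts):
    """True if home, after slash-prefixing and normalisation, lies on a mounted file system."""
    path = posixpath.normpath("/" + home.lstrip("/"))
    for mount in mounts:
        base = posixpath.normpath("/" + mount.lstrip("/"))
        if path == base or path.startswith(base.rstrip("/") + "/"):
            return True
    return False


def audit_anonymous_ftp(passwd_text, mounts):
    """Return finding codes for the ftp account; an empty list means all three attributes hold."""
    ftp_entries = [e for e in parse_passwd(passwd_text) if e.name == "ftp"]
    if not ftp_entries:
        return ["no-ftp-user"]  # anonymous FTP is not configured in this file
    findings = []
    if len(ftp_entries) > 1:
        findings.append("duplicate-ftp-entry")
    entry = ftp_entries[0]
    if entry.uid in FORBIDDEN_IDS:
        findings.append("uid-forbidden")
    if entry.gid in FORBIDDEN_IDS:
        findings.append("gid-forbidden")
    if not entry.home:
        # With no home directory the working directory is / or the login fails.
        findings.append("home-missing")
    elif not home_is_mounted(entry.home, mounts):
        findings.append("home-not-mounted")
    if not password_removed_or_disabled(entry.password):
        findings.append("password-active")
    return findings


# Constructed sample data (not taken from a real system).
MOUNTS = ["/fs1", "/fs2"]
GOOD = "root:*:0:1::/:\nftp:*:1001:1001:anonymous ftp:/fs1/pub:\n"
BAD = "ftp:Xq3constructedhash:0:1::home/ftp:\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, audit_anonymous_ftp(text, MOUNTS))
```
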

Home directories and the default working directory

When a Data Mover accepts a user’s login for an FTP session, the user is placed in a working directory. The user’s working directory depends on several factors:

◆ Is the homedir parameter for the server_ftp command specified?
◆ Is the defaultdir parameter for the server_ftp command listed?
◆ Is the user anonymous, or a UNIX (NFS) or CIFS user?
◆ For UNIX users, does the user have a home directory specified in NIS or /.etc/passwd?
◆ For Windows users, does the user have a home directory specified in /.etc/homedir?
◆ Is the user’s home directory available on the Data Mover?
◆ Does the user have access to the home directory?
◆ Is there a default FTP working directory configured on the Data Mover?

Restrict users to their home directory tree on page 22 restricts users to their home directory by using the homedir parameter with the server_ftp command. Change the default working directory on page 39 specifies the working directory when the defaultdir parameter is specified in the server_ftp command. Table 2 on page 14 summarizes the FTP behavior for the other conditions.


Table 2. FTP working directory

User type: NFS

Home directory mounted on Data Mover and access is granted:
User’s working directory is the home directory as specified in the /.etc/passwd file or NIS. If the home directory does not start with a forward slash (/), one is added by the system. [2]

Home directory not mounted on Data Mover or no access granted:
◆ User’s working directory is the Data Mover root directory (/), if the user has access. [1]
◆ If access to / is denied and the ftpd defaultdir system parameter is set, the user’s working directory is the default working directory.
◆ If there is no default working directory, the login fails.

No home directory specified:
◆ User’s working directory is the Data Mover root directory (/), if the user has access. [1]
◆ If access to / is denied and the ftpd defaultdir system parameter is set, the user’s working directory is the default working directory.
◆ If there is no default working directory, the login fails.

User type: Anonymous

Home directory mounted on Data Mover and access is granted:
User’s working directory is the home directory for the user named ftp, as specified in the /.etc/passwd file or NIS. If the home directory does not start with a forward slash (/), one is added by the system. [2]

Home directory not mounted on Data Mover or no access granted:
Login fails.

No home directory specified:
◆ User’s working directory is the Data Mover root directory (/), if the user has access. [1], [3]
◆ If the user named ftp is denied access to the root directory, the login fails.

User type: CIFS

Home directory mounted on Data Mover and access is granted:
User’s working directory is the home directory as specified in the /.etc/homedir file. [4]

Home directory not mounted on Data Mover or no access granted:
Login fails.

No home directory specified:
◆ If the ftpd defaultdir system parameter is set, the user’s working directory is the default working directory.
◆ If there is no default working directory, the user’s working directory is the Data Mover root directory (/), if the user has access. [1], [3]
◆ If access to / is denied, the login fails.

[1] If a UNIX user does not have a home directory specified (that is, the home directory is null, ""), the system prefixes a forward slash to "" and uses the root directory (/) as the user’s working directory if the user has permission to access that directory.
[2] For example, if the home directory in NIS or /.etc/passwd is home/user1, the system prefixes a forward slash and uses /home/user1 as the user’s home directory.
[3] With the default configuration, the anonymous user and CIFS users do not have access to the root directory.
[4] The home directory feature must be enabled in the Data Mover CIFS configuration. Configuring and Managing CIFS on Celerra provides information about enabling, disabling, or configuring CIFS-user home directories.

For all users, if the user’s home directory is available on a Data Mover and the user logs in by using FTP, the FTP working directory becomes the user’s home directory.


Note: You can use a backward slash (\) or a forward slash (/) as a directory separator.

For UNIX users or the anonymous FTP user, if the user’s home directory does not start with a forward slash (/), the system adds the forward slash. Therefore, if the user’s home directory is not set, the system uses the root directory as the home directory. If the user’s home directory is set, but it is unavailable, the system uses the root directory as the home directory. For UNIX users, if the user does not have access to the root directory, then the system uses the default working directory. If the default working directory is not set, the login fails. If the anonymous user does not have access to the root directory, the login fails.

For CIFS users, if the user’s home directory is not set and the default working directory is set, the system uses the default working directory. If the user does not have a home directory and there is no default working directory, the system uses the root directory. In this case, if the user does not have access to the root directory, the login fails. If a CIFS user has a home directory and the directory is unavailable, the login fails.
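
The fallback order in Table 2 can be written as a decision function and run over a list of accounts to find users who would land in the Data Mover root directory or be refused. This is an added example, not EMC code: the enum, function and account names are hypothetical, the accounts are constructed, the logic follows the cells of Table 2, and the homedir option of server_ftp is not modelled.

```python
from enum import Enum


class UserType(Enum):
    NFS = "UNIX (NFS) user"
    ANONYMOUS = "anonymous user"
    CIFS = "CIFS (Windows) user"


class Home(Enum):
    AVAILABLE = "mounted on the Data Mover and access granted"
    UNAVAILABLE = "specified, but not mounted or no access granted"
    UNSET = "no home directory specified"


def resolve_working_dir(user_type, home_state, home_path="",
                        root_access=False, defaultdir=None):
    """Return the FTP working directory, or None when the login fails."""
    if home_state is Home.AVAILABLE:
        # For UNIX and anonymous users the system prefixes a missing forward slash.
        if user_type is not UserType.CIFS and not home_path.startswith("/"):
            return "/" + home_path
        return home_path

    if user_type is UserType.NFS:
        # Same chain for an unset or unavailable home: root first, then defaultdir.
        if root_access:
            return "/"
        return defaultdir or None

    if home_state is Home.UNAVAILABLE:
        # Anonymous and CIFS users: a specified but unavailable home fails the login.
        return None

    if user_type is UserType.ANONYMOUS:
        # No home directory: root if the user named ftp has access, otherwise failure.
        return "/" if root_access else None

    # CIFS user with no home directory: defaultdir first, then root.
    if defaultdir:
        return defaultdir
    return "/" if root_access else None


def audit_accounts(accounts):
    """Return (names that land in /, names whose login fails)."""
    lands_in_root, login_fails = [], []
    for name, settings in accounts.items():
        working_dir = resolve_working_dir(**settings)
        if working_dir is None:
            login_fails.append(name)
        elif working_dir == "/":
            lands_in_root.append(name)
    return lands_in_root, login_fails


# Constructed accounts for illustration only.
SAMPLE_ACCOUNTS = {
    "alice": dict(user_type=UserType.NFS, home_state=Home.AVAILABLE,
                  home_path="home/alice"),
    "bob": dict(user_type=UserType.NFS, home_state=Home.UNSET,
                root_access=True, defaultdir="/fs1/ftp"),
    "carol": dict(user_type=UserType.CIFS, home_state=Home.UNSET,
                  root_access=False, defaultdir="/fs1/ftp"),
    "dave": dict(user_type=UserType.CIFS, home_state=Home.UNAVAILABLE,
                 home_path="/fs2/dave", root_access=True),
    "anonymous": dict(user_type=UserType.ANONYMOUS, home_state=Home.UNSET,
                      root_access=False),
}

if __name__ == "__main__":
    in_root, refused = audit_accounts(SAMPLE_ACCOUNTS)
    print("working directory is /:", in_root)
    print("login fails:", refused)
```

The precedence differs by user type: a UNIX user with access to / lands there even when defaultdir is set, while a CIFS user with no home directory gets defaultdir first.
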

File access permissions

The Celerra system defines access-checking policies that control how files are accessed in a multiprotocol environment such as NFS, FTP, or CIFS since NFS and CIFS implement access checking differently. Any one of the access-checking policies from the list can be specified while mounting a file system:

◆ NATIVE (default)
◆ UNIX
◆ NT
◆ SECURE
◆ MIXED
◆ MIXED_COMPAT

Access policies are set according to the file system. Table 3 on page 15 summarizes these access-checking policies for NFS and CIFS users.

Table 3. Access-checking policies for CIFS/FTP and NFS/FTP users

Access-checking policy: NATIVE (default)
CIFS/FTP clients: Access control list (ACL) is checked.
NFS/FTP clients: UNIX rights are checked.

Access-checking policy: UNIX
CIFS/FTP clients: ACL and UNIX rights are checked.
NFS/FTP clients: UNIX rights are checked.

Access-checking policy: NT
CIFS/FTP clients: ACL is checked.
NFS/FTP clients: ACL and UNIX rights are checked.

Access-checking policy: SECURE
CIFS/FTP clients: ACL and UNIX rights are checked.
NFS/FTP clients: ACL and UNIX rights are checked.

Access-checking policy: MIXED
CIFS/FTP and NFS/FTP clients: ACL is checked. If there is no ACL, one is created based on the UNIX mode bits. Access is also determined by the ACL. NFSv4 clients can manage the ACL.
CIFS/FTP clients: An ACL modification rebuilds the UNIX mode bits, but the UNIX rights are not checked.
NFS/FTP clients: A modification to the UNIX mode bits rebuilds the ACL permissions, but the UNIX rights are not checked.

Access-checking policy: MIXED_COMPAT
CIFS/FTP clients: If the permissions of a file or directory were last set or changed by a CIFS client, the ACL is checked and the UNIX rights are rebuilt but are not checked. If the permissions of a file or directory were last set or changed by an NFS client, the UNIX rights are checked and the ACL is rebuilt but is not checked. NFSv4 clients can manage the ACL.
NFS/FTP clients: If the permissions of a file or directory were last set or changed by an NFS client, the UNIX rights are checked and the ACL is rebuilt but is not checked. If the permissions of a file or directory were last set or changed by a CIFS client, the ACL is checked and the UNIX rights are rebuilt but are not checked. NFSv4 clients can manage the ACL.

Note: When accessed from a Windows client, ACLs are only checked if the CIFS user authentication method is set to the recommended default, NT. This is set by using the -add security option in the server_cifs command.

FTP on the Data Mover obeys the access-checking policies in the NFS/FTP column of Table 3 on page 15 if the user logs in by using a UNIX username. FTP on the Data Mover obeys the access-checking policies in the CIFS/FTP column if the user logs in by using a Windows domain and username.

When a user creates a file or directory through FTP, the access permissions on the file depend on the umask in effect on the FTP client. This might result in the same file access permissions as if the same user created the file through NFS or CIFS. You can check the umask by running the quote site umask command in the FTP session. The documentation for your FTP client provides more information.

Internationalization

Celerra Network Server handles international characters differently for NFS and FTP UNIX clients than for CIFS and FTP Windows clients. For NFS and FTP UNIX clients, Celerra translates characters in the client file and directory names, but not in user or group names. For CIFS and FTP Windows clients, Celerra translates client filenames, directory names, user and group names, and local groups.

When Unicode (which uses UTF-8 encoding) is enabled, the system can automatically translate the client data as specified previously. For encodings other than UTF-8, there is no automatic mechanism for Celerra to determine the client’s encoding. In this case, the client’s native encoding must be identified for the Data Mover. Using International Character Sets with Celerra provides more information on internationalization.

Data Mover failover

During a Data Mover failover, any FTP sessions active when the failure occurred are automatically disconnected. Restart those sessions manually when the failover is completed.

FTP Secure connection

FTPS connections are very similar to FTP connections, except that FTP traffic is sent over SSL when FTPS connections are used. SSL provides encryption and authentication capabilities. The default ports for control and data requests over FTPS are 990 and 989, respectively. Other ports can also be used for FTPS based on the client FTP software configuration and the SSL parameters set on the Data Mover by the server_ftp command. FTPS connections to a client require a certificate signed by the Certificate Authority (CA) to be installed on the Data Mover. Optionally, a CA certificate may also be installed on the client. This enables the client to check the signature sent by the Data Mover.

The keys and certificates used with SSL are managed by using public key infrastructure (PKI). PKI is available through the CLI and Celerra Manager.

Note: Celerra supports FTPS connections over SSL. Secure File Transfer Protocol (SFTP) connections, which use Secure Shell (SSH) protocol, are not supported.

Authentication methods

FTPS login is done through anonymous and simple authentication methods. The options you select when configuring the server_ftp command determine which authentication method is used:

◆ Anonymous (with no SSL)
◆ Simple (password with no SSL)
◆ Anonymous (no password, no SSL)
◆ Anonymous over SSL (SSL with no password)
◆ SSLv3 (password over SSL)
◆ tls:simple (password over SSL)
◆ Both SSLv3 and tls:simple (password over SSL)
◆ SSL-based (client certificate subject is used for authorization)


Anonymous authentication means no authentication occurs and the Data Mover uses an anonymous login to access the FTPS server. Simple or proxy authentication means the Data Mover must provide a username and password to access the FTP server.

The following rules determine which authentication method is used:

◆ If you do not specify the username option or enable SSL, anonymous authentication is used (no SSL).

◆ If you specify the username and password options, but do not enable SSL, password-based authentication is used (no SSL).

◆ If you specify the username and password options and enable SSL, a password-based authentication is used (over SSL), whether or not the sslpersona is configured.

◆ If you do not specify the username option and do not configure the sslpersona, but enable SSL, an anonymous authentication is used after the SSL connection is established.

◆ If you do not specify the username option, but enable SSL and configure the sslpersona, the anonymous authentication without SSL is used, unless the FTP-based server is configured to require client certificates.

Note: When the sslpersona is configured (whether it is used or not), there must be a key and valid public key certificate associated with the specified persona or the SSL connection attempt fails. You must specify the sslpersona whenever the FTP-based server is configured to require the client certificate, or the SSL connection fails because it is rejected by the FTP-based server.

The Celerra Security Configuration Guide provides information about planning considerations for PKI, personas, CA certificates, and cipher suites supported by Celerra.


3

Configuring

The tasks to configure FTP are:
◆ Prerequisites
◆ Configure anonymous FTP
◆ Restrict users to their home directory tree
◆ Deny FTPS access to specific users
◆ Create a logon-banner
◆ Create a welcome screen
◆ Configure the inactivity time-out period
◆ Configure the maximum time-out period
◆ Configure a data port
◆ Change the default umask
◆ Configure an SSL control connection
◆ Configure an SSL data connection
◆ Configure an SSL persona
◆ Configure an SSL protocol connection
◆ Postrequisites


Prerequisites

Before you begin

To configure FTPS, you need to stop the FTP daemon.

Disable FTPS on a Data Mover

To stop the FTP daemon or disable FTPS, perform this procedure.

Action

Disable FTPS on a Data Mover by using this command syntax:

$ server_ftp <movername> -service -stop

where:

<movername> = name of the specified Data Mover

Example:

To disable FTPS on server_2, type:

$ server_ftp server_2 -service -stop

Output

server_2: done

Configure anonymous FTP

1. Log in to the Control Station as root by typing:

$ su

and typing the root password at the prompt.

2. Change to the /nas/sbin directory by typing:

# cd /nas/sbin

3. Add the ftp user by using this command syntax:

# /nas/sbin/server_user <movername> -add ftp

where:

<movername> = Data Mover on which you want to enable anonymous FTP


Example:

Add the ftp user by typing:

# /nas/sbin/server_user server_2 -add ftp

At the prompts, create the user with these attributes:

◆ Any UID and GID, except -2 or those reserved for the root user (0 and 1)

◆ Home directory specified and available on the Data Mover

Note: Managing Administrative Accounts on Celerra provides more information on adding users and the server_user command.

4. Disable the ftp user’s password by using this command syntax:

# /nas/sbin/server_user <movername> -passwd -disable ftp

where:

<movername> = Data Mover on which you want to disable a user’s password

Example:

To disable the ftp user’s password, type:

# /nas/sbin/server_user server_2 -passwd -disable ftp


Restrict users to their home directory tree

To restrict users to their home directory tree, that is, to prevent them from accessing other users’ directories, perform this procedure. If the home directory is not reachable, the login is denied.

Action

Restrict users to their home directory tree by using this command syntax:

$ server_ftp <movername> -modify -homedir disable

where:

<movername> = name of the specified Data Mover

Example:

To restrict users to their home directory tree, type:

$ server_ftp server_2 -modify -homedir disable

Output

server_2 : done

FTPD CONFIGURATION
==================
State : stopped
Control Port : 256
Data Port : 257
Default dir : /
Home dir : disable
Keepalive : 1
High watermark : 65536
Low watermark : 32768
Timeout : 900
Max timeout : 7200
Read size : 8192
Write size : 49152
Umask : 27
Max connection : 65535

SSL CONFIGURATION
=================
Control channel mode : disable
Data channel mode : disable
Persona : default
Protocol : default
Cipher : default
Control port : 990
Data port : 989


Deny FTPS access to specific users

1. Create a new text file with the name ftp-deny.

2. Using a text editor, open the ftp-deny file and create a list of usernames, one per line, to which you want to deny FTP access on the Data Mover.

3. Upload ftp-deny to the Data Mover by using this command syntax:

$ server_file <movername> -put <filename>

where:

<movername> = name of the Data Mover where the file is to be copied

<filename> = name of the file being copied to the Data Mover

Example:

To upload the file on server_2, type:

$ server_file server_2 -put ftp-deny

4. Restrict FTPS access to specific users by using this command syntax:

$ server_ftp <movername> -modify -deniedusers <filename>

where:

<movername> = name of the specified Data Mover

<filename> = name of the file being copied to the Data Mover

Example:

To restrict FTP access to specific users on server_2, type:

$ server_ftp server_2 -modify -deniedusers ftp-deny

Note: After the ftp-deny file is loaded on the Data Mover and the -deniedusers option is added to the server_ftp command, updates to ftp-deny are automatically picked up and do not require a Data Mover restart.


Output:

server_2 : done

FTPD CONFIGURATION
==================
State : stopped
Control Port : 256
Data Port : 257
Default dir : /
Home dir : disable
Keepalive : 1
High watermark : 65536
Low watermark : 32768
Denied users conf file : /.etc/ftp-deny
Timeout : 900
Max timeout : 7200
Read size : 8192
Write size : 49152
Umask : 27
Max connection : 65535

SSL CONFIGURATION
=================
Control channel mode : disable
Data channel mode : disable
Persona : default
Protocol : default
Cipher : default
Control port : 990
Data port : 989

Create a logon-banner

Users see a welcome screen before they log in. This file might, for example, display a message of the day or an update for FTP users.

1. Create a new text file with the name logon-banner.

Note: The logon-banner file for FTPS might, for example, prompt users to type their username and password to access the server.

2. Using a text editor, open the logon-banner file and create your login message.


3. Upload logon-banner to the Data Mover by using this command syntax:

$ server_file <movername> -put <filename>

where:

<movername> = name of the Data Mover where the file is to be copied

<filename> = name of the file being copied to the Data Mover

Example:

To upload the logon-banner to server_2, type:

$ server_file server_2 -put logon-banner

4. Create a logon-banner for FTP by using this command syntax:

$ server_ftp <movername> -modify -welcome <filename>

where:

<movername> = name of the specified Data Mover

<filename> = name of the file being copied to the Data Mover

Example:

To create a logon-banner on server_2, type:

$ server_ftp server_2 -modify -welcome logon-banner

Note: After the logon-banner file is loaded on the Data Mover and the -welcome option is added to the server_ftp command, updates to logon-banner are automatically picked up and do not require a Data Mover restart.

Output:

server_2 : done

FTPD CONFIGURATION
==================
State : stopped
Control Port : 256
Data Port : 257
Default dir : /
Home dir : disable
Keepalive : 1
High watermark : 65536
Low watermark : 32768
Welcome file : /.etc/logon-banner
Timeout : 900
Max timeout : 7200
Read size : 8192
Write size : 49152
Umask : 27
Max connection : 65535


SSL CONFIGURATION
=================
Control channel mode : disable
Data channel mode : disable
Persona : default
Protocol : default
Cipher : default
Control port : 990
Data port : 989

Create a welcome screen

Users see a welcome screen after they have successfully logged in. This file might, for example, display a message of the day or an update for FTP users.

1. Create a new text file with the name motd.

2. Using a text editor, open the motd file and create your welcome message.

3. Upload the motd file to the Data Mover by using this command syntax:

$ server_file <movername> -put <filename>

where:

<movername> = name of Data Mover where the file is to be copied

<filename> = name of file being copied to the Data Mover

Example:

To upload the motd file to server_2, type:

$ server_file server_2 -put motd

4. Create a welcome screen for FTPS by using this command syntax:

$ server_ftp <movername> -modify -motd <filename>

where:

<movername> = name of the specified Data Mover where the file is to be copied

<filename> = name of file being copied to the Data Mover

Note: After the logon-banner file is loaded on the Data Mover and the -motd option is added to the server_ftp command, updates to message are automatically picked up and do not require a Data Mover restart.


Example:

To configure a welcome screen on server_2, type:

$ server_ftp server_2 -modify -motd message

Output:

server_2 : done

FTPD CONFIGURATION
==================
State : stopped
Control Port : 256
Data Port : 257
Default dir : /
Home dir : disable
Keepalive : 1
High watermark : 65536
Low watermark : 32768
Motd file : /.etc/motd
Timeout : 900
Max timeout : 7200
Read size : 8192
Write size : 49152
Umask : 27
Max connection : 65535

SSL CONFIGURATION
=================
Control channel mode : disable
Data channel mode : disable
Persona : default
Protocol : default
Cipher : default
Control port : 990
Data port : 989


Configure the inactivity time-out period

Action

Configure the inactivity time-out period by using this command syntax:

$ server_ftp <movername> -modify -timeout <timeout>

where:

<movername> = name of the specified Data Mover

Example:

To configure the inactivity time-out period on server_2, type:

$ server_ftp server_2 -modify -timeout 1000

Output

server_2 : done

FTPD CONFIGURATION
==================
State : stopped
Control Port : 256
Data Port : 257
Default dir : /
Home dir : disable
Keepalive : 1
High watermark : 65536
Low watermark : 32768
Timeout : 1000
Max timeout : 7200
Read size : 8192
Write size : 49152
Umask : 27
Max connection : 65535

SSL CONFIGURATION
=================
Control channel mode : disable
Data channel mode : disable
Persona : default
Protocol : default
Cipher : default
Control port : 990
Data port : 989


Configure the maximum time-out period

Action

Configure the maximum time-out period by using this command syntax:

$ server_ftp <movername> -modify -maxtimeout <maxtimeout>

where:

<movername> = name of the specified Data Mover

Example:

To configure the maximum time-out period on server_2, type:

$ server_ftp server_2 -modify -maxtimeout 6000

Output

server_2 : done

FTPD CONFIGURATION
==================
State : stopped
Control Port : 256
Data Port : 257
Default dir : /
Home dir : disable
Keepalive : 1
High watermark : 65536
Low watermark : 32768
Timeout : 900
Max timeout : 6000
Read size : 8192
Write size : 49152
Umask : 27
Max connection : 65535

SSL CONFIGURATION
=================
Control channel mode : disable
Data channel mode : disable
Persona : default
Protocol : default
Cipher : default
Control port : 990
Data port : 989


Configure a data port

To specify a local TCP port for FTPS data connections, perform this procedure.

Action

Configure a data port for FTPS by using this command syntax:

$ server_ftp <movername> -modify -dataport <dataport>

where:

<movername> = name of the specified Data Mover

Example:

To configure a data port for FTPS on server_2, type:

$ server_ftp server_2 -modify -dataport 25

Output

server_2 : done

FTPD CONFIGURATION
==================
State : stopped
Control Port : 256
Data Port : 25
Default dir : /
Home dir : disable
Keepalive : 1
High watermark : 65536
Low watermark : 32768
Timeout : 900
Max timeout : 7200
Read size : 8192
Write size : 49152
Umask : 27
Max connection : 65535

SSL CONFIGURATION
=================
Control channel mode : disable
Data channel mode : disable
Persona : default
Protocol : default
Cipher : default
Control port : 990
Data port : 989


Change the default umask

To configure the default umask to create a file or directory from the FTPS daemon, perform this procedure.

Action

Change the default umask for FTPS by using this command syntax:

$ server_ftp <movername> -modify -umask <umask>

where:

<movername> = name of the specified Data Mover

Example:

To change the default umask for FTPS on server_2, type:

$ server_ftp server_2 -modify -umask 077

Output

server_2 : done

FTPD CONFIGURATION
==================
State : stopped
Control Port : 256
Data Port : 257
Default dir : /
Home dir : disable
Keepalive : 1
High watermark : 65536
Low watermark : 32768
Timeout : 900
Max timeout : 7200
Read size : 8192
Write size : 49152
Umask : 77
Max connection : 65535

SSL CONFIGURATION
=================
Control channel mode : disable
Data channel mode : disable
Persona : default
Protocol : default
Cipher : default
Control port : 990
Data port : 989


Configure an SSL control connection

To configure an FTPS connection with SSL for control encryption, perform this procedure.

Action

Configure an SSL control connection for FTPS by using this command syntax:

$ server_ftp <movername> -modify -sslcontrol (no|allow|require|requireforauth)

where:

<movername> = name of the specified Data Mover

Example:

To allow an SSL control connection for FTPS on server_2, type:

$ server_ftp server_2 -modify -sslcontrol allow

Note: Before the server can be configured with SSL, the Data Mover must be set up with a private key and a public certificate. This key and certificate are identified by using a persona. In addition, the necessary CA certificates used to identify trusted servers must be imported into the Data Mover. Use the PKI feature of Celerra to manage the use of certificates prior to configuring the SSL operation.

Output

server_2 : done

FTPD CONFIGURATION
==================
State : stopped
Control Port : 256
Data Port : 257
Default dir : /
Home dir : disable
Keepalive : 1
High watermark : 65536
Low watermark : 32768
Timeout : 900
Max timeout : 7200
Read size : 8192
Write size : 49152
Umask : 27
Max connection : 65535

SSL CONFIGURATION
=================
Control channel mode : allow
Data channel mode : disable
Persona : default
Protocol : default
Cipher : default
Control port : 990
Data port : 989


Configure an SSL data connection

To configure an FTPS connection with SSL for data encryption, perform this procedure.

Action

Configure an SSL data connection for FTPS by using this command syntax:

$ server_ftp <movername> -modify -ssldata (allow|require|deny)

where:

<movername> = name of the specified Data Mover

Example:

To allow an SSL data connection for FTPS on server_2, type:

$ server_ftp server_2 -modify -ssldata allow

Note: These options are set on the server, but are dependent on ftp client capabilities. Some client capabilities may be incompatible with server settings.

Output

server_2 : done

FTPD CONFIGURATION
==================
State : stopped
Control Port : 256
Data Port : 257
Default dir : /
Home dir : disable
Keepalive : 1
High watermark : 65536
Low watermark : 32768
Timeout : 900
Max timeout : 7200
Read size : 8192
Write size : 49152
Umask : 27
Max connection : 65535

SSL CONFIGURATION
=================
Control channel mode : default
Data channel mode : allow
Persona : default
Protocol : default
Cipher : default
Control port : 990
Data port : 989


Configure an SSL persona

Action

Configure an SSL persona for FTPS by using this command syntax:

$ server_ftp <movername> -modify -sslpersona (anonymous|default|<persona_name>)

where:

<movername> = name of the specified Data Mover

Example:

To allow an anonymous SSL persona for FTPS on server_2, type:

$ server_ftp server_2 -modify -sslpersona anonymous

Output

server_2 : done

FTPD CONFIGURATION
==================
State : stopped
Control Port : 256
Data Port : 257
Default dir : /
Home dir : disable
Keepalive : 1
High watermark : 65536
Low watermark : 32768
Timeout : 900
Max timeout : 7200
Read size : 8192
Write size : 49152
Umask : 27
Max connection : 65535

SSL CONFIGURATION
=================
Control channel mode : disable
Data channel mode : disable
Persona : anonymous
Protocol : default
Cipher : default
Control port : 990
Data port : 989


Configure an SSL protocol connection

Action

Configure an SSL protocol for FTPS by using this command syntax:

$ server_ftp <movername> -modify -sslprotocol (default|ssl3|tls1|all)

where:

<movername> = name of the specified Data Mover

Example:

To allow an SSLv3 protocol for FTPS on server_2, type:

$ server_ftp server_2 -modify -sslprotocol ssl3

Output

server_2 : done

FTPD CONFIGURATION
==================
State : stopped
Control Port : 256
Data Port : 257
Default dir : /
Home dir : disable
Keepalive : 1
High watermark : 65536
Low watermark : 32768
Timeout : 900
Max timeout : 7200
Read size : 8192
Write size : 49152
Umask : 27
Max connection : 65535

SSL CONFIGURATION
=================
Control channel mode : disable
Data channel mode : disable
Persona : default
Protocol : ssl3
Cipher : default
Control port : 990
Data port : 989


Postrequisites

After you finish

After you configure an FTPS option, you need to restart the FTP daemon for the changes to take effect.

Enable FTPS on a Data Mover

To start the FTP daemon after making the configuration changes, perform this procedure.

Action

Enable FTPS on a Data Mover by using this command syntax:

$ server_ftp <movername> -service -start

where:

<movername> = name of the specified Data Mover

Example:

To enable FTPS on server_2, type:

$ server_ftp server_2 -service -start

Output

server_2: done


4

Managing

The tasks to manage FTP are:
◆ Prerequisites
◆ Determine if FTPS is running on a Data Mover
◆ Change the default working directory
◆ Specify an SSL control port
◆ Specify an SSL data port
◆ Change the default SSL cipher suite
◆ Postrequisites


Prerequisites

Before you begin

To manage FTPS, you need to stop the FTP daemon.

Disable FTPS on a Data Mover

To stop the FTP daemon or disable FTPS, perform this procedure.

Action

Disable FTPS on a Data Mover by using this command syntax:

$ server_ftp <movername> -service -stop

where:

<movername> = name of the specified Data Mover

Example:

To disable FTPS on server_2, type:

$ server_ftp server_2 -service -stop

Output

server_2: done

Determine if FTPS is running on a Data Mover

Action

Determine if FTPS is running on the Data Mover by using this command syntax:

$ server_ftp <movername> -service -status

where:

<movername> = name of the Data Mover

Example:

To determine if FTPS is running on server_2, type:

$ server_ftp server_2 -service -status

Output

server_2: done

State : running


Change the default working directory

Home directories and the default working directory on page 13 provides more information about the default working directory.

Action

Change the default working directory by using this command syntax:

$ server_ftp <movername> -modify -defaultdir <path>

where:

<movername> = name of the Data Mover

<path> = path of the new working directory

Example:

To set the defaultdir parameter to /dir1, type:

$ server_ftp server_2 -modify -defaultdir /dir1

Output

server_2 : done

FTPD CONFIGURATION
==================
State : stopped
Control Port : 256
Data Port : 257
Default dir : /dir1
Home dir : disable
Keepalive : 1
High watermark : 65536
Low watermark : 32768
Timeout : 900
Max timeout : 7200
Read size : 8192
Write size : 49152
Umask : 27
Max connection : 65535

SSL CONFIGURATION
=================
Control channel mode : disable
Data channel mode : disable
Persona : default
Protocol : default
Cipher : default
Control port : 990
Data port : 989


Specify an SSL control port

Action

Configure an SSL control port for FTPS by using this command syntax:

$ server_ftp <movername> -modify -sslcontrol (no|allow|require|requireforauth)

where:

<movername> = name of the specified Data Mover

Example:

To enable the SSL control port for FTPS on server_2, type:

$ server_ftp server_2 -modify -sslcontrol allow

Output

server_2 : done

FTPD CONFIGURATION
==================
State : stopped
Control Port : 256
Data Port : 257
Default dir : /
Home dir : disable
Keepalive : 1
High watermark : 65536
Low watermark : 32768
Timeout : 900
Max timeout : 7200
Read size : 8192
Write size : 49152
Umask : 27
Max connection : 65535

SSL CONFIGURATION
=================
Control channel mode : allow
Data channel mode : disable
Persona : default
Protocol : default
Cipher : default
Control port : 990
Data port : 989


Specify an SSL data port

Action

Configure an SSL control port for FTPS by using this command syntax:

$ server_ftp <movername> -modify -ssldata (no|allow|require)

where:

<movername> = name of the specified Data Mover

Example:

To enable the SSL control port for FTPS on server_2, type:

$ server_ftp server_2 -modify -ssldata allow

Note: The -ssldata option can be set only if the -sslcontrol option is set to allow, require, or requireforauth.

Output

server_2 : done

FTPD CONFIGURATION
==================
State : stopped
Control Port : 256
Data Port : 257
Default dir : /
Home dir : disable
Keepalive : 1
High watermark : 65536
Low watermark : 32768
Timeout : 900
Max timeout : 7200
Read size : 8192
Write size : 49152
Umask : 27
Max connection : 65535

SSL CONFIGURATION
=================
Control channel mode : allow
Data channel mode : allow
Persona : default
Protocol : default
Cipher : default
Control port : 990
Data port : 989


Change the default SSL cipher suite

Action

Change the default SSL cipher suite for FTPS by using this command syntax:

$ server_ftp <movername> -sslcipher (default|<cipher_suite>)

where:

<movername> = name of the specified Data Mover

Example:

To change the default SSL cipher suite for FTPS on server_2 to a 40-bit strength, type:

$ server_ftp server_2 -sslcipher 40

Output

server_2 : done

FTPD CONFIGURATION
==================
State : stopped
Control Port : 256
Data Port : 257
Default dir : /
Home dir : disable
Keepalive : 1
High watermark : 65536
Low watermark : 32768
Timeout : 900
Max timeout : 7200
Read size : 8192
Write size : 49152
Umask : 27
Max connection : 65535

SSL CONFIGURATION
=================
Control channel mode : disable
Data channel mode : disable
Persona : anonymous
Protocol : default
Cipher : 40
Control port : 990
Data port : 989
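The following script is an added example, not part of the EMC documentation or software. It reads a configuration listing in the format of the Output sections above and flags SSL settings that do not enforce encryption or that permit SSLv3 or ciphers below 128 bits. The function and sample names, the 128-bit threshold, and the reading of any mode other than require or requireforauth as not enforcing SSL are assumptions of the example.

```shell
#!/bin/sh
# Added example (not EMC code): audit a server_ftp configuration listing.
# Field names are taken from the Output listings in this guide. Which values
# count as weak is an assumption of this example, not an EMC recommendation.

# Read a listing on stdin, print one "WEAK:" line per finding, and return
# non-zero when at least one finding was printed.
audit_ftp_config() {
    awk -F' *: *' '
        function report(msg) { findings++; print "WEAK: " msg }

        # Only the SSL CONFIGURATION section is audited; track where we are.
        /^FTPD CONFIGURATION/ { in_ssl = 0; next }
        /^SSL CONFIGURATION/  { in_ssl = 1; next }
        !in_ssl || NF < 2     { next }

        {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t\r]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        }

        # Assumption: only require/requireforauth force SSL before login.
        key == "Control channel mode" && val != "require" && val != "requireforauth" {
            report("control channel mode " val " does not enforce SSL for logins")
        }
        key == "Data channel mode" && val != "require" {
            report("data channel mode " val " does not enforce SSL for transfers")
        }
        # SSLv3 is obsolete (RFC 7568); both ssl3 and all permit it.
        key == "Protocol" && (val == "ssl3" || val == "all") {
            report("protocol " val " permits SSLv3")
        }
        # A numeric cipher value is a strength in bits, as in "-sslcipher 40".
        key == "Cipher" && val ~ /^[0-9]+$/ && val + 0 < 128 {
            report("cipher strength " val " bits is below 128")
        }

        END { exit (findings > 0) }
    '
}

# Constructed listing in the format of the Output sections, with weak settings.
sample_weak() {
    cat <<'EOF'
server_2 : done

FTPD CONFIGURATION
==================
State : stopped
Control Port : 256
Data Port : 257
Umask : 27

SSL CONFIGURATION
=================
Control channel mode : allow
Data channel mode : disable
Persona : default
Protocol : ssl3
Cipher : 40
Control port : 990
Data port : 989
EOF
}

# Constructed listing with SSL enforced on both channels and TLS only.
sample_hardened() {
    cat <<'EOF'
SSL CONFIGURATION
=================
Control channel mode : require
Data channel mode : require
Persona : default
Protocol : tls1
Cipher : default
Control port : 990
Data port : 989
EOF
}

echo "== weak sample =="
sample_weak | audit_ftp_config || true
echo "== hardened sample =="
sample_hardened | audit_ftp_config && echo "no findings"
```

To audit a real Data Mover, save the listing that server_ftp prints after a -modify command to a file and pipe that file into audit_ftp_config.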


Postrequisites

After you finish

After you make changes to an FTPS option, you need to restart the FTP daemon for the changes to take effect.

Enable FTPS on a Data Mover

To start the FTP daemon after making the configuration changes, perform this procedure.

Action

Enable FTPS on a Data Mover by using this command syntax:

$ server_ftp <movername> -service -start

where:

<movername> = name of the specified Data Mover

Example:

To enable FTPS on server_2, type:

$ server_ftp server_2 -service -start

Output

server_2: done


5

Troubleshooting

As part of an effort to continuously improve and enhance the performance and capabilities of its product lines, EMC periodically releases new versions of its hardware and software. Therefore, some functions described in this document may not be supported by all versions of the software or hardware currently in use. For the most up-to-date information on product features, refer to your product release notes.

If a product does not function properly or does not function as described in this document, please contact your EMC Customer Support Representative.

Problem Resolution Roadmap for Celerra contains additional information about using Powerlink and resolving problems.

Topics included are:
◆ EMC E-Lab Interoperability Navigator
◆ Known problems and limitations
◆ Network problems
◆ EMC Training and Professional Services


EMC E-Lab Interoperability Navigator

The EMC E-Lab™ Interoperability Navigator is a searchable, web-based application that provides access to EMC interoperability support matrices. It is available at http://Powerlink.EMC.com. After logging in to Powerlink, go to Support ➤ Interoperability and Product LifeCycle Information ➤ E-Lab Interoperability Navigator.

The EMC NAS Support Matrix is available on Powerlink. It provides definitive information on supported software and hardware, such as backup software, Fibre Channel switches, and application support for Celerra network-attached storage (NAS) products.

Note: The EMC NAS Support Matrix is for EMC use only. Do not share this information with customers.

Known problems and limitations

If a user reports a problem logging in by using FTP, first check that the user has a valid account in the local password file on the Data Mover, in NIS for UNIX users, or in the Windows domain for Windows users. If the user’s account appears to be valid, Table 4 on page 46 might help you determine the source of the problem.

Table 4. FTP user login problems and workarounds

| Known problem | Symptom | Workaround |
|---|---|---|
| Valid Windows user login is rejected. | Home directory not available. | Ensure that the file system that contains the user’s home directory is mounted on the Data Mover. |
| | Home directory not enabled in CIFS. | Enable home directories in CIFS. |

Network problems

Some problems that appear to be FTP connection problems might be more general network problems. Configuring and Managing Celerra Networking provides more information about troubleshooting problems with the network attached to a Celerra system.

EMC Training and Professional Services

EMC Customer Education courses help you learn how EMC storage products work together within your environment in order to maximize your entire infrastructure investment. EMC Customer Education features online and hands-on training in state-of-the-art labs conveniently located throughout the world. EMC customer training courses are developed and delivered by EMC experts. Go to EMC Powerlink at http://Powerlink.EMC.com for course and registration information.

EMC Professional Services can help you implement your Celerra Network Server efficiently. Consultants evaluate your business, IT processes, and technology and recommend ways you can leverage your information for the most benefit. From business plan to implementation, you get the experience and expertise you need, without straining your IT staff or hiring and training new personnel. Contact your EMC representative for more information.


Terminology

A

access control list (ACL)
List of access control entries (ACEs) that provide information about the users and groups allowed access to an object.

C

Celerra AntiVirus Agent (CAVA)
Application developed by EMC that runs on a Windows server and communicates with a standard antivirus engine to scan CIFS files stored on a Celerra Network Server.

See also AV engine, AV server, and VC client.

Certificate Authority (CA)
Trusted third party that creates and digitally signs public key certificates.

Certificate Authority Certificate
Digitally signed association between an identity (a Certificate Authority) and a public key to be used by the host to verify digital signatures on Public Key Certificates.

F

File Transfer Protocol (FTP)
High-level protocol for transferring files from one machine to another. Implemented as an application-level program based on the OSI model, FTP uses the TCP protocol.

H

home directory
Special directory reserved for a particular user; it contains files and programs for the user. In a Windows environment, the home directory is often specified in a user's profile so that upon login, the home directory is automatically assigned to a network drive.


I

internationalization (I18N)
The process of generalizing software such that it can be made to handle various languages and locales.

N

network file system (NFS)
Network file system (NFS) is a network file system protocol allowing a user on a client computer to access files over a network as easily as if the network devices were attached to its local disks.

Network Information Service (NIS)
Distributed data lookup service that shares user and system information across a network, including usernames, passwords, home directories, groups, hostnames, IP addresses, and netgroup definitions.

P

public key infrastructure (PKI)
Means of managing private keys and associated public key certificates for use in public key cryptography. It is a framework which allows the creation of a certificate which is used by SSL.

S

Secure Sockets Layer (SSL)
Security protocol that provides encryption and authentication. It encrypts data and provides message and server authentication. It also supports client authentication if required by the server.

U

Unicode
Family of universal character encoding standards used for representation of text for computer processing.

UTF-8 (8-bit Unicode Transformation Format)
Multibyte encoding form that uses an algorithmic mapping scheme to convert every Unicode value to a unique 1- to 4-byte sequence with no embedded null characters.

See Unicode or UCS Transformation Format-8.

